Description
In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.
Published: 2026-06-04
Score: 6 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrect permission checks in Octopus Server. As a result, any authenticated user can invoke a particular API endpoint to make server-level changes, even though the endpoint returns an error response. This flaw enables modification of configuration that should be restricted to privileged users, potentially compromising the integrity of the deployment environment.

Affected Systems

The affected product is Octopus Deploy Octopus Server. Specific product versions are not provided, so all currently deployed instances of Octopus Server are potentially vulnerable until a patch that restores proper access control is applied. The issue is limited to the server component and does not affect the client or agent.

Risk and Exploitability

The CVSS score of 6.0 indicates moderate severity, and the EPSS score is less than 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must already possess valid credentials to exploit the flaw. Once authenticated, the attacker can manipulate the server through the affected API endpoint, leading to unintended configuration changes that could compromise system integrity. Exploitation does not require remote code execution, but the impact on system integrity could be significant.

Generated by OpenCVE AI on June 4, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that fixes the permission check on the vulnerable API endpoint.
  • If an update is not immediately possible, restrict the API permissions of non‑admin users to read‑only roles or disable the endpoint until the fix is applied.
  • Monitor and audit API usage logs for unusual activity and enforce network segmentation so that only trusted components can reach the Server API.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 08:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Octopus; Octopus octopus Server
Vendors & Products                    Octopus; Octopus octopus Server

Thu, 04 Jun 2026 18:15:00 +0000

Type    Values Removed   Values Added
Title                    Improper Permission Checks Allow Server‑Level Configuration Changes via API

Thu, 04 Jun 2026 16:15:00 +0000

Type        Values Removed   Values Added
Title                        Authenticated User Can Perform Server‑Level Changes via API in Octopus Server
Weaknesses                   CWE-285

Thu, 04 Jun 2026 13:30:00 +0000

Type        Values Removed   Values Added
Weaknesses                   CWE-862
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 11:45:00 +0000

Type        Values Removed   Values Added
Title                        Authenticated User Can Perform Server‑Level Changes via API in Octopus Server
Weaknesses                   CWE-285

Thu, 04 Jun 2026 10:00:00 +0000

Type          Values Removed   Values Added
Description                    In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.
References
Metrics                        cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Octopus Octopus Server
MITRE

Status: PUBLISHED

Assigner: Octopus

Published:

Updated: 2026-06-04T13:05:54.396Z

Reserved: 2026-03-26T07:19:05.417Z

Link: CVE-2026-4881

Vulnrichment

Updated: 2026-06-04T13:05:47.492Z

NVD

Status: Awaiting Analysis

Published: 2026-06-04T10:16:39.723

Modified: 2026-06-04T15:48:43.743

Link: CVE-2026-4881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:45:35Z

Weaknesses